
Privacy Principles Apply After Death

Posted on August 5, 2019 by Jean Eaton in Blog

Are your staff looking at medical records when they shouldn’t be?

Many people have the mistaken impression they can look at a patient's medical records as long as they don’t tell anyone else.

You can’t.

We see over and over again in ‘snooping’ cases that seasoned and new healthcare providers and support team members alike don’t realize that looking at a patient’s health information, without a need to know that information in order to provide a health service right now, is wrong.

Kate Dewhirst summarized this as

  • Privacy = don’t look
  • Confidentiality = don’t tell

We still need privacy awareness training – even those experienced healthcare providers who push back and say that they have been in the business for years still often have more to learn.


In this post I am sharing an example of an Ontario Information and Privacy Commissioner (IPC) complaint investigation that arose from a complaint by the family of a deceased individual. Whether you have a new practice or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements but is streamlined and efficient, and keeps your information secure.

What Happened

In 2014, a physician acting in his role as a coroner accessed the deceased’s health record. Shortly thereafter, the family alleged that the physician, who was also a family member of the deceased, continued to access the deceased’s personal health information (PHI) contrary to Ontario’s Personal Health Information Protection Act (PHIPA).

The family submitted a complaint to the hospital. Initially, the hospital's response did not satisfy the family. The family filed a complaint to the Information and Privacy Commissioner (IPC) of Ontario.

The IPC started a complaint investigation.

Privacy Complaint Investigation

Under PHIPA, the hospital is a health information custodian and the physician is an agent of the hospital.

During the IPC investigation, the physician confirmed he “accessed the health information in response to his concern about the individual’s well-being.”

“I know now that proceeding in this way was misguided and wrong.” He would never disclose the information to anyone; that would be a violation of patient privacy and a breach of doctor-patient confidentiality.

The physician acknowledged he did not fully appreciate the related but distinct concepts of patient privacy, the circle of care, and the ‘need to know’ principle.

Confidentiality rights arise out of the special relationship between the client and the health professional or provider.

In contrast, privacy rights are the general rights of all persons to limit the access to their PHI. Individuals have the right to privacy, even after death.


4 Step Response Plan

The hospital received a complaint from the family, which triggered the first step: spot and stop the breach.

Secondly, the hospital did an initial investigation to evaluate the risks of the incident. Later, after the IPC initiated their complaint investigation, the hospital re-visited the internal investigation and completed a comprehensive review and used audit log reporting tools to assist them.

Eventually, the hospital took the third step and notified the individual’s family of the privacy breach. However, the notification was not timely. A more comprehensive response to the family’s complaint, followed promptly by a notice to the family, would have been a better response.

Preventing a similar breach is the fourth step.

Since this incident, the hospital has:

  • installed a new auditing program that considerably enhances its ability to detect unauthorized access.
  • updated its Privacy and Confidentiality Policy, which applies to all agents of the hospital.
  • developed a yearly electronic privacy training program for all staff, volunteers and learners and will require all credentialed physicians to complete this training as part of the annual reappointment process.
  • strengthened the privacy warning on its electronic system, which warns users that unauthorized use of personal health information may result in disciplinary action.

Privacy Breach Physician Sanctions


The hospital’s Medical Advisory Committee recommended to the Board of Directors that the physician’s privileges be suspended for three months, that the hospital conduct enhanced monitoring of the physician’s access to the electronic medical record for three years, and that, on his return to practice, the physician be required to present at Grand Rounds on the topic of privacy.

The IPC concluded that the disciplinary consequences for the physician were sufficient in the circumstances.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know about how breaches can affect you, the more proactive you can be in preventing privacy breach pain.

Privacy awareness education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy awareness training program, check out the on-line education Privacy Awareness in Healthcare: Essentials.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Pain.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget’ to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach


References and Resources

Dewhirst, Kate. After Death: Who Can Access The Records Of A Patient After Death? May 7, 2019. https://katedewhirst.com/blog/2019/05/07/after-death-who-can-access-the-records-of-a-patient-after-death/

Ontario Information and Privacy Commissioner IPC Investigation Report PHIPA DECISION 74 HC15-4 Sault Area Hospital August 10, 2018.


Curiosity Is NOT Need-To-Know

Posted on February 18, 2019 by Jean Eaton in Blog

I am often asked if it is ‘OK’ to look up a patient’s information on Netcare when the patient hasn’t been seen for some time and the care provider wants to know how they are doing.

Let me be clear: If you are not currently providing a health service to the patient in a current episode of care, you must not look up that patient’s information on Netcare or any other EMR or paper system.

The patient has a right to privacy – which means don’t look unless you have a need to know.

Curiosity is not a legitimate need to know. That is snooping!

You Can Use This Privacy Breach Example to Review and Improve Your Practices

Pro-active Auditing Reveals Snooping in Sask eHealth

What Happened

On April 6, 2018, a highway collision occurred involving the hockey team Humboldt Broncos which left 16 dead and 13 injured.

The trustee of the Saskatchewan Electronic Health Record Viewer, eHealth, pro-actively audited their electronic health record system to identify potential unauthorized use of the system by authorized users.

eHealth detected that two physicians and an administrator at the Humboldt Clinic Limited inappropriately accessed the personal health information of two individuals involved in a collision involving the Humboldt Broncos.

The auditing revealed that there were many instances where access was made between April 7 and April 10 to the records of two patients. The records belonged to two individuals who died in the crash on April 6.

The physicians had provided care to the individuals in January of 2018 but were not involved in providing care to them on or about April 6. The physicians’ access was prompted by their ‘concern’ for the individuals.


Clearly, these users of the Viewer were not currently providing care and treatment to the patients.

The access to the Viewer in this example was not a legitimate need-to-know under Saskatchewan’s The Health Information Protection Act (HIPA).

eHealth reported these privacy breaches to the Information and Privacy Commissioner (IPC) of Saskatchewan.
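The kind of proactive audit described above, as an added example that is not eHealth Saskatchewan’s tooling or the IPC’s method: each chart access in the viewer audit log is checked against an encounter register, and an access is flagged when the user had no encounter with that patient inside a care window around the access. The audit log lines, encounter records, user IDs and the 30-day window are all constructed for the example.

```python
"""Snooping triage over EHR viewer audit logs (added example, not eHealth's tooling).
Flags chart accesses by an authorized user who has no encounter with that patient
inside a care window around the access: the need-to-know test the post describes.
Log lines, encounters, user IDs and the 30-day window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log lines: timestamp, user, role, patient, action
AUDIT_LOG = """\
2018-01-15T09:12:00 dr_a physician P-0001 VIEW_CHART
2018-01-15T09:40:00 dr_b physician P-0002 VIEW_CHART
2018-04-07T08:03:00 dr_a physician P-0001 VIEW_CHART
2018-04-07T08:05:00 dr_a physician P-0002 VIEW_CHART
2018-04-08T13:22:00 dr_b physician P-0001 VIEW_CHART
2018-04-09T10:10:00 admin_c admin P-0002 VIEW_CHART
2018-04-09T11:00:00 dr_d physician P-0003 VIEW_CHART
2018-04-10T16:45:00 dr_b physician P-0002 VIEW_CHART
"""

# Constructed encounter register (user, patient, encounter date): care was
# provided in January; nothing around the April access dates.
ENCOUNTERS = [
    ("dr_a", "P-0001", "2018-01-15"),
    ("dr_b", "P-0002", "2018-01-15"),
    ("dr_d", "P-0003", "2018-04-09"),
]

CARE_WINDOW = timedelta(days=30)  # assumed length of a "current episode of care"


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def build_index(encounters):
    """Map (user, patient) -> list of encounter datetimes."""
    idx = defaultdict(list)
    for user, patient, day in encounters:
        idx[(user, patient)].append(datetime.fromisoformat(day))
    return idx


def has_need_to_know(event, idx, window=CARE_WINDOW):
    """True if the user had an encounter with this patient within the window."""
    return any(abs(event["ts"] - day) <= window
               for day in idx.get((event["user"], event["patient"]), []))


def flag_snooping(log_text, encounters, window=CARE_WINDOW):
    """Return {user: [(timestamp, patient), ...]} for accesses lacking need-to-know."""
    idx = build_index(encounters)
    flagged = defaultdict(list)
    for ev in parse_log(log_text):
        if not has_need_to_know(ev, idx, window):
            flagged[ev["user"]].append((ev["ts"].isoformat(), ev["patient"]))
    return dict(flagged)


if __name__ == "__main__":
    for user, hits in flag_snooping(AUDIT_LOG, ENCOUNTERS).items():
        print(f"{user}: {len(hits)} access(es) without need-to-know: {hits}")
```

A flagged access is a lead for the privacy officer to review, not a finding on its own; the January accesses and dr_d's same-day access fall inside the window and are not reported.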

4 Step Response Plan

The trustee, eHealth, undertook the first step to respond to a privacy breach by spotting and stopping the breach. The audit identified the breach. Then eHealth contained the breach by suspending or terminating access to the Viewer.

Secondly, eHealth appropriately notified the individuals’ next of kin of the privacy breach.

The third step is to investigate the breach. eHealth notified the IPC of the breach. The clinic, however, did not investigate the cause of the privacy breach.

Preventing a similar breach is the fourth step. The clinic has privacy policies and a privacy training strategy. The eHealth Viewer also has online training for its users.

IPC Recommendations

Subsequent to its investigation, the Saskatchewan IPC observed that the training had not prevented this breach.

The IPC recommended that the clinic provide further training to its employees and contractors on the need-to-know principle. Additionally, the IPC recommended that the clinic document the privacy breaches and the lessons learned to prevent a similar privacy breach.

Reference: Saskatchewan IPC Investigation Report 177-2018, January 29, 2019

Privacy Breach Nuggets You Need to Know

There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you, the more proactive you can be in preventing privacy breach pain.

Privacy education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Pain.

“When we know better, we can do better”

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach


How NOT to Respond to a Privacy Complaint!

Posted on January 18, 2018 by Jean Eaton in Blog

Do your staff know how to respond to a privacy complaint? Do your staff, volunteers, or directors log in to a server to access documents remotely? Have you done a security assessment to ensure that the access is secure? Do they know how to manage confidential documents once they have downloaded them?

You Can Use This Privacy Breach Example to Review and Improve Your Practices

Do you store confidential documents on your website? After all, a website is a type of file server accessible from an internet connection and is often hosted by a third party. There is often a public side and a members-only side where authorized users log in to view and download documents.

Maybe you intended only authorized users to access the file – but are you sure that it is secure? Here's what can happen if your confidential documents can be found by the public!

In 2016, the personal information of 285 clients was compiled into an electronic file, prepared for the service’s board of directors on new cases arising between April and November of 2015, but was not properly secured on the agency’s website. The file was subsequently viewed by the public.

What happened

An alleged privacy breach at Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) of Brockville, Ontario in 2016 has led to the agency being sued for negligence, invasion of privacy and a breach of the Canadian Charter of Rights and Freedoms.

The personal information of the 285 clients was compiled into an electronic file, and prepared for the service’s board of directors to review in the course of their business.

The list was publicly available to anyone who knew the correct URL.

Someone accidentally ‘found’ the website address and saw the confidential information. She notified the FCSLLG and warned them that the information was available to the public. When she did not receive a response from FCSLLG that acknowledged her concern and corrected the problem, she posted the information on Facebook.


The lawsuit seeks $25 million in general damages, $25 million in special damages and $25 million in punitive, aggravated and exemplary damages.

The lawsuit alleges that the FCSLLG website was completely unsecured between February and April 2016, with the full knowledge of FCSLLG.

Privacy Nuggets You Need to Know

We can only wonder about the outcome of the breach if the staff at the agency had promptly responded to the privacy breach complaint. It is possible that if the agency had secured the information immediately and limited any further disclosure, the lawsuit might have been avoided.

  • Know how to properly respond to a privacy and security complaint or privacy breach. Create or review your written procedures now!
  • Identify and train a privacy officer in your business.

This unfortunate breach is a good reminder for all businesses to follow up with your information technology and website host support to ensure that your server has been properly secured and that staff have been trained to upload files to the secure server properly. In addition:

  • Consider hiring a managed service provider to ensure secure access only to authorized users. If you allow remote access to confidential information, you can’t afford not to have experts to help you!
  • Know how to secure documents on your file server.
  • Make sure that your authorized users know how to securely manage the documents after they have downloaded them from your secure file server.

There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you, the more proactive you can be in preventing privacy breach pain.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

FREE 15-minute Privacy Breach Awareness On-line Training.

Along with your registration, you will also benefit from the occasional Privacy Nugget tips by email of similar privacy resources and articles that you can use right away!


iPhone Stolen with 412 Patient Health Records

Posted on April 17, 2017 by Jean Eaton in Blog

Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices

A business associate (contractor) of the Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia had their iPhone stolen. This iPhone contained unprotected and unencrypted Personal Health Information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) started their investigation on April 17, 2014, and found that a total of 412 patient health records were compromised.

Protected Health Information at Risk

The data on the iPhone included security data, protected health information, social security numbers, family member contacts, treatment, and medication details.

Before a healthcare provider (also known as the custodian) authorizes the use of mobile devices to manage patient records, they must conduct a specific risk assessment to (1) determine the threats of mobile technology and (2) secure the data. Reasonable safeguards include written policies and procedures that authorize the use of mobile technology and identify the risks, as well as a mitigation strategy (including additional training to the employees using mobile technology) to ensure that they are aware of the added security risk. The incident investigation found that CHCS did not have these reasonable safeguards in place.


$650,000 Fine

The OCR fined CHCS $650,000 and imposed monitoring of the business associate and CHCS to ensure compliance with HIPAA regulations for the next two years.

Privacy Breaches – What You Need to Know

The use of mobile devices in healthcare is common, and breaches like this one are easily preventable. The following information will help you to prevent a privacy breach.

  1. Policies and Procedures. You need a policy that states whether or not you allow employees to use their own mobile devices at work, and if so, for what purpose(s). (This is also known as bring your own device or BYOD.) This includes texting co-workers during work hours or accessing their work email from their smart phone. If you provide mobile devices to your employees so that they can do their jobs remotely (from their home office or when attending clients away from your practice), you must also conduct a specific threat risk assessment to determine the threats of mobile technology, secure the data, and implement reasonable safeguards.

     Generally, when a mobile device containing personal identifying information is lost or stolen, the device must have had both strong password protection and encryption for the loss not to be considered a breach of personally identifying information.

  2. Training. It is important that you provide specific training to your staff to ensure that they understand the additional specific risk of having personal information on mobile devices. Employees must know their responsibilities to protect the personal information of your patients, clients, and your practice. The custodian should keep a record of attendance to demonstrate that training was provided.
  3. Contractors. If you have contractors, vendors, or business associates who provide services and use mobile devices, you are responsible for ensuring that they also have strong policies and training, or follow your policies and training. In Alberta, make sure that you have an Information Manager Agreement (required by the Health Information Act (HIA) s.66) with your contractor, vendor, or business associate.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

(7 minute video).




Copyright 2022 Information Managers Ltd.
